The Risks of ‘Bring Your Own App’ Policies at Work–and How to Make Them Safer

As technology evolves, the way employers allow their staff to get their work done changes alongside. With the proliferation of the mobile workforce in recent years, policies such as “bring your own device” (BYOD) have exploded in popularity – leading to the next stage of the cycle: “bring your own apps” (BYOA). This is fueled by more employees choosing to augment or forego company-provided software and using their preferred apps for file sharing, doc editing, travel and more. However, the problem with the policy is there is no easy way for employers to know the risk of these third-party mobile apps, which can leave the employee and company vulnerable to compromise.

Risks Associated with BYOA Policies

Whether a cybercriminal is after intellectual property, employee data or customer information, unmonitored mobile apps are perfect entry points for company surveillance and possibly data theft. By introducing these unchecked apps, enterprises can be impacted in several different ways. For example:

One of your employees is using a corporate credit card for a business trip. They are using a travel app that is insecure. Not only is their personal information at risk of being stolen, someone may be able to retrieve a copy of the company credit card and then run up fraudulent charges.

A staff member enjoys taking notes on their phone’s built-in note app that syncs data with the cloud. This individual takes notes for all of the key staff and client meetings. Because the notes app is not certified or sanctioned, the data could be exposed on the device or in the cloud where hackers could get their hands on client information and use it to exploit the company.

An employee’s phone uses an unsanctioned app for file sync and share, storing documents with the company’s patented formula for fiber optics or plans for a new breakthrough product. If the document is being stored in an unencrypted app, on an unencrypted device, this critical intellectual property is at risk.

At your company, employees are encouraged to use ride-sharing apps whenever they are away for business. Some users don’t follow good hygiene and use the same user ID and password for the ride share app as their laptop login. If a cybercriminal gets their hands on an individual’s ride sharing details, they can potentially use those credentials to gain access to a business’s network and data.

And here is an example we’ve witnessed firsthand. A very large NowSecure customer had 80,000 mobile devices being used by employees – and had no idea of what kinds of apps they were utilizing on their network. The company provided a full mobile app inventory to NowSecure with a total of over 13,000 apps in play.

After running vulnerability and security tests on the thousands of mobile apps and evaluating the risk level times volume of users, the enterprise received a high risk, negative score. In the process, NowSecure discovered the company had no formal policy about the type of apps that were on devices employees brought into work. And all along, the organization’s employees simply viewed using their own apps as a nice perk, not recognizing the security holes that they were introducing.

How to Protect Your Business

So what should companies do to help protect themselves and their employees from being victims of a cybersecurity breach or data exploitation while still allowing staff to use their own BYOA mobile apps?

Educate employees on app safety

Encourage your employees to only use mobile apps from reputable companies and to search the internet by Googling an app they are not sure about. For Android users in particular, make sure to look carefully at the permissions when downloading to install an app and to always keep permission access to a minimum.

Inventory and vet employee apps while following AppSec advancements

The key to ensuring your BYOA policy does not put your company at risk is to stay educated and informed on all of the latest in app development and security news. Leverage third-party app vetting solutions such as NowSecure INTEL to monitor all third-party apps and test for security, privacy and compliance issues. By knowing which apps might put your company at risk, you can advise your staff not to use them, especially in a work setting.

Implementing Security throughout the Software Lifecycle

And how can the developers ensure the apps that they are creating are secure – to help prevent these types of intrusions for their users?

Build security into company apps.

With tight deadlines to meet, DevOps teams typically focus on getting their application out on time rather than ensuring security is implemented throughout the process. Security teams should work closely with developers to ensure they are incorporating testing throughout the entire app building process, so there is less work on fixing vulnerabilities and bugs after the app is already in use.

Use DAST and SAST on your devices during mobile AppDev lifecycle.

Incorporating dynamic application security testing (DAST) and static application security testing (SAST) will ensure that your development team is following the DevSecOps process. SAST solutions can analyze application source code for coding and design conditions to check for security vulnerabilities. DAST technologies test binaries via an attacker point of view to identify key vulnerabilities in data at rest, data in motion. NowSecure and WhiteHat partner to bring comprehensive mobile SAST and DAST together.

Ensuring companies are protected from insecure apps is a collaborative effort between the employer, the employees and even the app developers. If each group remains diligent and follows the tips above – everyone can improve their security ‘app-titude.’

Cookie Use

We use cookies to store information on your computer that are either essential to make our site work or help us personalize and improve the user experience. By using this site, you consent to the placement of these cookies. To learn more, see our Cookie Policy.